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CLAIMS 




We claim: 



A apparatus for key management comprising: 



a multitude of key registers; 



\ 



(b) a multitude of type fields, wherein each type field is associated with a key 
registers; 

(c) a key management controller; 

(d) key management algorithms; and 

(e) key management fiinctions. 

2. The apparatus according to claim 1 wherein each type field contains at least one of the 
values including KK, DK, and null. 

3. The apparatus according to claim 2 wherein the contents of a key register with an 
associated type field whose value is KK is used to encrypt and decrypt the contents of 
other key registers. 

4. The apparatus according to claim 1 wherein said key management functions include 
an unwrap fiinction, said unwrap fiinction including: 

(a) a wrapped key parameter for specifying an unwrapping key; 

(b) a type parameter for specifying an unwrapping key type; 

(c) an index parameter for specifying where to store the xmwrapped key; and 

(d) a wrapped key index parameter for specifying a wrapped key; 

said unwrap fimction capable of unwrapping the wrapped key using the specified 
unwrapping key and an algorithm determined by the unwrapping key type. 
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1 5. The apparatus according to claim 1 wherein said key management functions include a 

2 wrap function, wherein said wrap function includes: 

3 (a) an index parameter for specifying a wrapping key; and 

4 (b) a wrapping key index parameter for specifying a wrapping key key; 

5 said wrap function capable of wrapping the wrapping key using the specified 

6 wrapping key key. 



The apparatus according to claim 1 wherein said key management functions include a 
data encryption function, said data encryption function includes: 

(a) a data parameter for specifying encryption data; and 

(b) a key index parameter for specifying an encryption key; 

said encryption function capable of encrypting the specified encryption data using the 
specified encryption key. 



: — S 

¥ 7. The apparatus according to claim 1 wherein said key management functions include a 

2 data decryption function, wherein said data decryption function includes: 

3 (a) a cipher parameter for specifying a cipher for decryption; and 

4 (b) a key index parameter for specifying a decryption key; 

5 said decryption function capable of decrypting the specified cipher using the specified 

6 decryption key. 

1 8. The apparatus according to claim 1 wherein said key management functions include a 

2 data load function, wherein said data load function includes: 

3 (a) a key parameter for specifying a plaintext key; and 



1 6. 

1 

s 
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4 (b) an index parameter for specifying a destination key register; 

5 said data load function capable of loading the specified plaintext key into the 

6 destination key register. 

1 9. The apparatus according to claim 1 wherein said key management functions include a 

2 register clear function, wherein said register clear function includes an index 

3 parameter for specifying a key register, and is capable of clearing the specified key 

4 register and an associated type field. 

' f 10. The apparatus according to claim 1 wherein said key management functions include 

% an initialize function, wherein said initialize function is capable of: 

|i (a) clearing said multitude of key registers; 

(b) storing a specified plaintext key in an indexed register; and 

5 (c) storing a KK value in the type field associated with the indexed register. 

J5 11. The apparatus according to claim 1 wherein said multitude of key registers has a 

2 hierarchy. 

1 12. The apparatus according to claim 1 1 wherein said contents of a key register can only 

2 be used to wrap the contents of a lower hierarchical level key register. 



1 13. 



The apparatus according to claim 1 1 wherein said hierarchy has more than one root. 
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1 14. The apparatus according to claim 1 wherein a key management function uses a key 

2 management algorithm determined by the value stored in the type field associated with 

3 the key register being operated on by said key management function. 

1 15. The apparatus according to claim 1 wherein said apparatus uses public key negotiation 

2 protocols to share new keys with other key management apparatuses. 

1 16. The apparatus according to claim 1 wherein said key management algorithms includes 

2 an encryption algorithm for wrapping a DK with a KK, wherein the wrapped data key 
I =Ekk(Ekk(DK)). 

li 17. The apparatus according to claim 1 wherein said key management algorithms include 

111 

M a decryption algorithm for unwrapping a DK with a KK, wherein the wrapped data 

1 key = EKK(EKK(DK)). 

^5 18. The apparatus according to claim 1 wherein said key management algorithms include 

2 encryption and decryption algorithms that use a bitwise exclusive-or operator. 

1 A method for key management comprising the steps of: 

2 (a) storing a data key in a key register; 

3 (b) storing an data type for said data key in an associated type field; 

4 (c) storing a key key in a key register; 

5 (d) storing a key type for said key key in an associated type field; and 

6 (e) performing a key management function on at least one key register using a key 

7 management algorithm. 
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1 20. The method according to claim 19 wherein said data type is at least one of the values 

2 including KK, DK, and null. 

1 21 . The method according to claim 19, wherein said step of performing a key management 

2 function includes performing an unwrap function, said unwrap function includes the 

3 steps of: 

4 (a) retrieving an unwrapping key from a key register; 

5 (b) retrieving an unwrapping key type; 

^1 (c) determining where to store an unwrapped key; 

'2 (d) retrieving a wrapped key; and 

M (e) unwrapping the wrapped key using the unwrapping key and an algorithm 

M determined by the unwrapping key type. 

jy 22. The method according to claim 19, wherein said step of performing a key management 
^ function includes performing a wrap function, wherein said wrap function includes 

3 the steps of: 

4 (a) retrieving a wrapping key; 

5 (b) retrieving a wrapping key key; and 

6 (c) wrapping the wrapping key using the wrapping key key. 

1 23. The method according to claim 1 9, wherein said step of performing a key management 

2 function includes performing a data encryption function, said data encryption function 

3 includes the steps of: 

4 (a) retrieving data for encryption; 
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5 (b) retrieving an encryption key; and 

6 (c) encrypting the data using the encryption key. 



1 24. The method according to claim 19, wherein said step of performing a key management 

2 function includes performing a data decryption function, wherein said data decryption 

3 function includes the steps of: 

4 (a) retrieving a cipher; 

5 (b) retrieving a decryption key; and 

6 (c) decrypting the cipher using the decryption key. 

25. The method according to claim 19, wherein said step of performing a key management 
function includes performing a data load function, wherein said data load function 
includes the steps of: 

(a) retrieving a plaintext key; 

(b) determining a destination key register; and 

(c) loading the specified plaintext key into the destination key register. 



1 26. The method according to claim 19, wherein said step of performing a key management 

2 function includes performing a register clear function, wherein said register clear 

3 function includes the steps of: 

4 (a) clearing a specified key register; and 

5 (b) clearing an associated type field. 
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1 27. The method according to claim 19, wherein said step of performing a key management 

2 function includes performing an initialize function, wherein said initialize function 

3 includes the steps of: 

4 (a) clearing a multitude of key registers; 

5 (b) storing a specified plaintext key in an indexed key register; and 

6, (c) storing a KK value in the type field associated with the indexed register. 

1 28. The method according to claim 19, wherein said key register is part of a hierarchy of 

2 key registers. 

% 29. The method according to claim 28, wherein said contents of the key register can only 
S be used to wrap the contents of a lower hierarchical level key register. 

^5 30. The method according to claim 28, wherein said hierarchy has more than one root. 

■( 31 . The method according to claim 19, wherein the step of performing a key management 

2 function further includes using a key management algorithm determined by the value 

3 stored in the type field associated with the key register being operated on by said key 

4 management function. 

1 32. The method according to claim 19, further including the step of sharing new keys with 

2 other key management apparatuses using public key negotiation protocols. 



